
SA-1996.03.txt

Posted Sep 23, 1999


SHA-256 | 41833f86da7589d94287daa5073319153d6587ce281c37b620f4bf7d050e21fa

Subject: Caldera Security Advisory 96.03: Vulnerability in the dip program

Caldera Security Advisory SA-96.03
July 8th, 1996

Topic: Vulnerability in the dip program

I. Problem Description

The dip program manages the connections needed for dial-up
links such as SLIP and PPP. It can handle both incoming and
outgoing connections. To gain access to the resources it needs to
establish these IP connections, the dip program is often installed
as set-user-id root.

A vulnerability in dip makes it possible to overflow an internal
buffer whose value is under the control of the user of the dip
program. If this buffer is overflowed with the appropriate data,
a program such as a shell can be started. This program then runs
with root permissions on the local machine.

Exploitation scripts for dip have been found running on Linux
systems for X86 hardware. Although exploitation scripts for other
architectures and operating systems have not yet been found,
we believe that they could be easily developed.

II. Impact

On systems such as CND 1.0 and Red Hat 2.1 that have dip installed
set-user-id root, an unprivileged user can obtain root access.

III. Solution / Workaround

A simple workaround is to disable the SUID root bit:

chmod 755 /usr/sbin/dip

If you must run dip SUID root, place it in a group where it can
only be executed by trusted users.
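
The two workarounds above can be checked and applied from the shell. The following is an added example, not part of the Caldera advisory: the function names are hypothetical, the target is assumed to be owned by root as the advisory describes, and any group you pass (for instance a "dipusers" group) is one you create yourself.

```shell
#!/bin/sh
# Added example: audit a set-user-id binary and apply the advisory's workarounds.
# Assumes the real target is owned by root, as the advisory describes for dip.
DIP="${DIP:-/usr/sbin/dip}"   # default path taken from the advisory's chmod command

# classify FILE -> prints one of:
#   missing          file does not exist
#   no-suid          set-user-id bit is clear (workaround 1 already applied)
#   suid-world       set-user-id and executable by any user (the exposed state)
#   suid-restricted  set-user-id but not executable by "other" (workaround 2)
classify() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -u "$1" ]; then
        echo no-suid
    elif [ -n "$(find "$1" -prune -perm -0001 -print)" ]; then
        echo suid-world
    else
        echo suid-restricted
    fi
}

# Workaround 1: the advisory's "chmod 755", which clears the set-user-id bit.
drop_suid() {
    chmod 755 "$1"
}

# Workaround 2: keep set-user-id but allow execution only by members of GROUP.
# chgrp runs first because changing group ownership can clear the bit.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Read-only report on the current state; changes nothing.
echo "$DIP: $(classify "$DIP")"
```

A result of suid-world on a dip binary owned by root is the condition the advisory's Impact section describes; either function moves the file out of that state.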

CND 1.0 and Red Hat 2.1 shipped with dip-3.3.7n-2.i386.rpm. Version
dip-3.3.7n-3.i386.rpm has the SUID root bit disabled and is available
via FTP from:

ftp://ftp.caldera.com/pub/cnd-1.0/updates/dip-3.3.7n-3.i386.rpm

or the directory

old-releases/redhat-2.1/i386/updates/RPMS

from Red Hat or one of its mirror sites:

ftp.redhat.com:/pub
ftp.caldera.com:/pub/mirrors/redhat

The MD5 checksum (from the "md5sum" command) for this RPM is:

3c94852a8fb636aa9b5407cae155e2ae dip-3.3.7n-3.i386.rpm

Note that this problem was announced in January 1996. It has regained
attention since CERT finally issued an advisory for this problem
today. Code to exploit this problem has also been publicly
reposted today.

Another option (untested at Caldera) is to install

dip-3.3.7o-4.i386.rpm

found in the directory

contrib/RPMS

from Red Hat or one of its mirror sites. Its MD5 checksum is:

cbd0005199be7038e2b09f70473d59ba dip-3.3.7o-4.i386.rpm

Note that this RPM is in RPM 2.0 format and is not readily usable
with CND 1.0.

IV. References

CERT advisories:

ftp://info.cert.org/pub/cert_advisories/CA-96.13.README
ftp://info.cert.org/pub/cert_advisories/CA-96.13.dip_vul

This and other Caldera security resources:

http://www.caldera.com/tech-ref/cnd-1.0/security/